
Symantec™ Security Gateways Reference Guide - Sawmill


Chapter 5
Controlling service access

This chapter includes the following topics:
■ Filters
■ Content filtering

Filters

Filters let the administrator discard packets that should not be forwarded or serviced locally. A well-constructed filter can remove a significant portion of undesired traffic, freeing up valuable resources to address legitimate connections. Packet filtering is a versatile security gateway feature that is sometimes considered complicated because packet filters are order-dependent and use different logic from authorization rules, which are based on best fit. Make sure you understand how packet filters work and how to use them before creating any filters.

Understanding filters

A filter is a criteria list and action pairing that consists of the following information:
■ The IP address and netmask of the source.
■ The IP address and netmask of the destination.
■ The type of protocol.
■ The lower bound of the source port (if applicable).
■ The upper bound of the source port (if applicable).
■ The lower bound of the destination port (if applicable).
■ The upper bound of the destination port (if applicable).
■ Any protocol-related flags (such as TCP ACK).

Each packet is checked against the criteria list to see if there is a match. If the packet matches, the paired action takes place; the action either allows or denies the packet. An allow filter sends the packet up the stack to be processed by the proxies. If the packet does not match, or it matches but the action is deny, the packet is dropped.

The filter list is processed sequentially until a match is found. It is important to understand that the filtering mechanism only looks for the first matching entry and takes that action; the order of deny and allow actions is significant. Filters are not like rules, where all rules are considered when making a decision to allow or deny. In general, put the most specific filter elements first and more general elements last.

Note: With no filter list in place, all packets are allowed by default. If a filter is added to the list, the default policy changes to deny anything not specifically allowed by the filter. Any packet that fails to match is dropped. For this reason, filters must be constructed with care.
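The following is an added example, not code from the Symantec guide or the security gateway product: a small Python model of the first-match filtering semantics described above (the eight criteria fields, allow/deny actions, default allow with an empty list, default deny once any filter exists). The addresses, filter names and sample packets are constructed for illustration using RFC 5737 documentation ranges. It shows concretely why a specific deny placed after a more general allow is never reached.

```python
"""Model of first-match packet filtering as described in the guide (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY_PORT: Tuple[int, int] = (0, 65535)


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the header fields a filter inspects."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


@dataclass(frozen=True)
class Filter:
    """One criteria list paired with an action ("allow" or "deny")."""
    action: str
    src: str = "0.0.0.0/0"           # source address and netmask
    dst: str = "0.0.0.0/0"           # destination address and netmask
    proto: Optional[str] = None      # None matches any protocol
    sport: Tuple[int, int] = ANY_PORT  # (lower, upper) bound of the source port
    dport: Tuple[int, int] = ANY_PORT  # (lower, upper) bound of the destination port
    flags: frozenset = frozenset()   # every listed flag must be set on the packet

    def matches(self, pkt: Packet) -> bool:
        """True only if every criterion in the list matches the packet."""
        if IPv4Address(pkt.src) not in IPv4Network(self.src, strict=False):
            return False
        if IPv4Address(pkt.dst) not in IPv4Network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if not (self.sport[0] <= pkt.sport <= self.sport[1]):
            return False
        if not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return self.flags <= pkt.flags


def evaluate(filters: List[Filter], pkt: Packet) -> str:
    """Apply the list in order and return the action of the first match.

    No list at all: everything is allowed (the guide's default).
    A non-empty list: first match wins; a packet matching nothing is denied.
    """
    if not filters:
        return "allow"
    for flt in filters:
        if flt.matches(pkt):
            return flt.action
    return "deny"


# Constructed filters. 192.0.2.0/24 plays the role of an internal network and
# 198.51.100.10 an external web server; 192.0.2.66 is a host to be blocked.
DENY_BAD_HOST = Filter("deny", src="192.0.2.66/32")
ALLOW_WEB_FROM_LAN = Filter("allow", src="192.0.2.0/24", proto="tcp", dport=(80, 80))
# Return traffic for those sessions: TCP from port 80 with ACK set.
ALLOW_WEB_RETURN = Filter("allow", dst="192.0.2.0/24", proto="tcp",
                          sport=(80, 80), flags=frozenset({"ACK"}))

# Specific element first, as the guide recommends.
SPECIFIC_FIRST = [DENY_BAD_HOST, ALLOW_WEB_FROM_LAN, ALLOW_WEB_RETURN]
# Same filters with the general allow ahead of the specific deny: the deny is shadowed.
GENERAL_FIRST = [ALLOW_WEB_FROM_LAN, ALLOW_WEB_RETURN, DENY_BAD_HOST]


def compare_orderings(pkt: Packet) -> Tuple[str, str]:
    """Return (result with specific-first list, result with general-first list)."""
    return evaluate(SPECIFIC_FIRST, pkt), evaluate(GENERAL_FIRST, pkt)


if __name__ == "__main__":
    blocked_host_web = Packet("192.0.2.66", "198.51.100.10", "tcp", 40000, 80, frozenset({"SYN"}))
    print("blocked host to web:", compare_orderings(blocked_host_web))
```

Running the block prints `('deny', 'allow')` for the blocked host: only the specific-first ordering actually blocks it, because in the general-first list the broad allow for the whole /24 matches first and the deny entry is never consulted. A packet that matches no entry (for example SSH from a permitted host) is dropped by the default deny, and a reply from port 80 without the ACK flag fails the flag criterion and is likewise dropped.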
